Secure Office 365 with the Client Access Policy Builder

For many organizations, a move to Office 365 brings new options for accessing services, such as Microsoft Exchange, over the Internet. Even though many organizations provide access to Outlook Web App, Outlook Anywhere or ActiveSync, some don’t want end users to access email from an Internet cafe, a personal device or anywhere outside the office. If your organization fits into the latter category, you should build a Client Access Policy.

Office 365 is an Internet-based service, which means that unless you buy Microsoft’s dedicated offering, all clients must traverse the public Internet to access it. Some organizations mandate client access be from secured (often corporate) devices.

Out of the box, one advantage of Office 365 is you don’t need to be on a corporate device. You can access provided services, including installing Outlook and downloading email, from anywhere with Internet connectivity. For some organizations, especially those that work with financial or personal information, the ability to connect any device this way means they could potentially breach regulations or internal business policies.

For Office 365 to be a viable technology for these organizations, moving services such as email to it means the ability to restrict who and what can access it, and from where, is essential. But it's more complicated than restricting who and what can access the Active Directory Federation Services (AD FS) servers federated with Office 365.

Outlook is an active client, which means the client sends the username and password to Office 365, which then reaches out and authenticates on the end user’s behalf. Unless you only want to use basic browser-based services such as OWA and SharePoint, you’ll need to provide access to AD FS from Office 365 addresses. By default, any Outlook client with the correct credentials can authenticate whether or not the AD FS servers are exposed to the wider Internet.

Microsoft knows this is a requirement for many organizations, so it built in a feature called Client Access policies.
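The following added example (not from the original article, and not Microsoft's implementation) is a simplified model of why a network-level restriction on AD FS does not constrain Outlook, while a rule that evaluates the original client address does. The address ranges are constructed documentation ranges; the `forwarded_client_ip` field is an assumption modeled on the AD FS request-context claim `x-ms-forwarded-client-ip`, which the article does not name.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed ranges (RFC 5737 documentation space), not real Office 365 addresses.
CORPORATE_EGRESS = ipaddress.ip_network("203.0.113.0/24")
OFFICE365_RANGE = ipaddress.ip_network("198.51.100.0/24")


@dataclass
class AuthRequest:
    source_ip: str                      # address AD FS sees on the connection
    forwarded_client_ip: Optional[str]  # original client, relayed in the active flow


def passive_request(client_ip: str) -> AuthRequest:
    """Browser flow (OWA, SharePoint): the client connects to AD FS itself."""
    return AuthRequest(source_ip=client_ip, forwarded_client_ip=None)


def active_request(client_ip: str, o365_ip: str = "198.51.100.10") -> AuthRequest:
    """Outlook flow: Office 365 holds the credentials and contacts AD FS."""
    return AuthRequest(source_ip=o365_ip, forwarded_client_ip=client_ip)


def firewall_allows(req: AuthRequest) -> bool:
    """Network rule: only corporate and Office 365 addresses may reach AD FS."""
    ip = ipaddress.ip_address(req.source_ip)
    return ip in CORPORATE_EGRESS or ip in OFFICE365_RANGE


def policy_allows(req: AuthRequest) -> bool:
    """Policy rule: judge the original client, not the relaying service."""
    try:
        source = ipaddress.ip_address(req.source_ip)
        effective = source
        if req.forwarded_client_ip is not None:
            # Trust a forwarded address only when Office 365 relayed it.
            if source not in OFFICE365_RANGE:
                return False
            effective = ipaddress.ip_address(req.forwarded_client_ip)
        return effective in CORPORATE_EGRESS
    except ValueError:
        return False  # malformed address: fail closed


if __name__ == "__main__":
    cafe = "192.0.2.55"  # constructed off-network client
    print("firewall, Outlook from cafe:", firewall_allows(active_request(cafe)))
    print("policy,   Outlook from cafe:", policy_allows(active_request(cafe)))
```
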

Read the full article on SearchExchange…